How-To: Create a Scheduled Search using GraphQL

You can create a scheduled search using the mutation createScheduledSearch.

This mutation requires a long list of input parameters. The meaning and format of some of them are worth spelling out:

  • viewName: the name of an existing view/repository

  • queryString: the Humio query you want to schedule; in this example it is a simple count() function, but it could be a complex query

  • queryStart: start of the relative time interval for the query (for details about the format, see Relative Time Syntax)

  • queryEnd: end of the relative time interval for the query (for details about the format, see Relative Time Syntax)

  • schedule: Cron pattern describing the schedule to execute the query on

  • timeZone: Time zone of the schedule; it only supports UTC offsets like ‘UTC’, ‘UTC-01’ or ‘UTC+12:45’

  • backfillLimit: User-defined limit, which caps the number of missed searches to backfill

  • enabled: boolean to enable/disable the scheduled search

  • actions: Array of action IDs to fire on the query result

  • labels: Labels attached to the scheduled search

To create a search:

```graphql
mutation{
  createScheduledSearch(input:{
    viewName: "<REPO_NAME>",
    name: "<SCHEDULED_SEARCH_NAME>",
    description: "Description for the scheduled search",
    queryString: "count()",
    queryStart: "26h",
    queryEnd: "2h",
    schedule: "0 2 * * *",
    timeZone: "UTC-04:00",
    backfillLimit: 0,
    enabled: true,
    actions: ["<ACTION_ID>"],
    labels: []}){
      name
  }
}
```

To get the action IDs for a specific repository, you can use this query:

```graphql
query {
  repository(name:"<REPO_NAME>"){
    name
    alerts {
      name
      actions
    }
  }
}
```

Here’s an example using curl:

```shell
# The JSON body is split into adjacent single-quoted strings. Each line break sits
# outside the quotes, so the shell joins the pieces and no stray backslash reaches the JSON.
curl -v -XPOST -H "Content-Type:application/json" http://localhost:8080/graphql -d \
'{"query": "mutation{createScheduledSearch(input:{viewName:\"<REPO_NAME>\", '\
'name: \"<SCHEDULED_SEARCH_NAME>\",description: \"Description for the scheduled search\", '\
'queryString: \"count()\",queryStart: \"26h\", queryEnd: \"2h\", schedule: \"0 2 * * *\", '\
'timeZone: \"UTC-04:00\",backfillLimit: 0, enabled: true, actions: [\"<ACTION_ID>\"], labels: []}){name}}"}'
```

This is an example of a curl call against a self-hosted instance of Humio. You can also run it against the public Humio hostname using an actual user API token (which is obtained from the Your Account area in the menu on the right of the header).
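
The curl call above hand-escapes every quote in the mutation, which stops working as soon as queryString itself contains quotes. The following Python sketch is an added example, not part of the Humio documentation: it builds the same request body with the escaping done by the JSON encoder and rejects a timeZone that is not a UTC offset. `build_request_body`, `to_literal`, the sample query and the offset pattern (derived from the three forms listed for timeZone) are assumptions, as is treating every field from the example as required.

```python
import json
import re

# Input fields used in this page's createScheduledSearch example.
FIELDS = ("viewName", "name", "description", "queryString", "queryStart",
          "queryEnd", "schedule", "timeZone", "backfillLimit", "enabled",
          "actions", "labels")
# Assumption: pattern derived from the page's examples 'UTC', 'UTC-01', 'UTC+12:45'.
UTC_OFFSET = re.compile(r"UTC([+-]\d{2}(:\d{2})?)?")


def to_literal(value):
    """Render a Python value as a GraphQL literal (hypothetical helper)."""
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)         # JSON string escapes are valid in GraphQL strings
    if isinstance(value, list):
        return "[" + ", ".join(to_literal(v) for v in value) + "]"
    raise TypeError(f"unsupported value type: {type(value).__name__}")


def build_request_body(params):
    """Return the JSON body to POST to /graphql (hypothetical helper)."""
    unknown = set(params) - set(FIELDS)
    missing = set(FIELDS) - set(params)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    if not UTC_OFFSET.fullmatch(params["timeZone"]):
        raise ValueError(f"timeZone must be a UTC offset, got {params['timeZone']!r}")
    fields = ", ".join(f"{k}: {to_literal(params[k])}" for k in FIELDS)
    mutation = f"mutation{{createScheduledSearch(input:{{{fields}}}){{name}}}}"
    return json.dumps({"query": mutation})


# Constructed sample input; the placeholders are the ones used on this page.
SAMPLE = {
    "viewName": "<REPO_NAME>", "name": "<SCHEDULED_SEARCH_NAME>",
    "description": "Description for the scheduled search",
    "queryString": 'status="500" | count()',  # embedded quotes need escaping
    "queryStart": "26h", "queryEnd": "2h", "schedule": "0 2 * * *",
    "timeZone": "UTC-04:00", "backfillLimit": 0, "enabled": True,
    "actions": ["<ACTION_ID>"], "labels": [],
}

if __name__ == "__main__":
    print(build_request_body(SAMPLE))
```

The printed body can be saved to a file and sent with curl's `-d @body.json` in place of the inline string.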